On Fri, 11 Oct 2002, Doug Hite wrote:

> Hello all,
> 
> I believe I'm currently being scanned on one of my 
> LEAF routers (this one is still an EigerStein I think), 
> all from a single ip.  It of course is filling
> up my logs, and eventually stops my dhcpd server.
> The log analyser at http://www.echogent.com/cgi-bin/fwlog.pl
> from this packet 
> 
> Oct 10 20:48:57 isdnfirewall kernel: Packet log: remote DENY eth0 
> PROTO=6 216.224.239.106:58047 209.251.232.19:135 L=44 S=0x00 
> I=9912 F=0x4000 T=107 SYN (#9) 
> 
> gives this response
> 
> You're very likely under attack here.

This particular destination port is the Microsoft RPC (DCOM) service port.

On its own, even repeated, I wouldn't automatically conclude you are
"under attack".  Someone might have mistakenly put your ip address in
someplace (typo), or you might be running software from inside your
firewall that is prompting the server to try to get some more information
from you (check netstat -Mlen for connections).  (I don't think your ISP
has your ip address correctly reverse dns mapped, so some servers might
try alternate methods of reverse mapping.)

If it is part of a sequence of destination ports, then you are more likely
"under attack".

> I used to have the syntax to completely block a single
> ip, but I seem to have lost it, and my searches have
> come up empty.  Can someone give me the syntax to
> block this offender ?  I don't mind only plugging it in at
> the command line - this router gets rebooted only
> every 6 months or so - by that time, the person
> may have lost interest.

You need to insert a rule into the input chain for interface eth0 that
denies (drops) all packets arriving from ip 216.224.239.106, without
logging:

ipchains -I input -j DENY -i eth0 -s 216.224.239.106

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
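The reply distinguishes a single repeated port from a sequence of destination ports. The following script, added here and not part of the original thread, applies that check to ipchains "Packet log:" lines: it counts distinct destination ports per source address over a constructed sample log (the 198.51.100.7 host and its ports are made up) and prints the DENY rule from the reply for any source above a threshold.

```sh
#!/bin/sh
# Constructed sample in the same ipchains "Packet log:" format as the line
# quoted in the thread; 198.51.100.7 and its port sequence are made up.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Oct 10 20:48:57 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:58047 209.251.232.19:135 L=44 S=0x00 I=9912 F=0x4000 T=107 SYN (#9)
Oct 10 20:48:59 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 216.224.239.106:58048 209.251.232.19:135 L=44 S=0x00 I=9913 F=0x4000 T=107 SYN (#9)
Oct 10 20:49:03 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 198.51.100.7:40001 209.251.232.19:21 L=44 S=0x00 I=100 F=0x4000 T=60 SYN (#9)
Oct 10 20:49:04 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 198.51.100.7:40002 209.251.232.19:22 L=44 S=0x00 I=101 F=0x4000 T=60 SYN (#9)
Oct 10 20:49:05 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 198.51.100.7:40003 209.251.232.19:23 L=44 S=0x00 I=102 F=0x4000 T=60 SYN (#9)
Oct 10 20:49:06 isdnfirewall kernel: Packet log: remote DENY eth0 PROTO=6 198.51.100.7:40004 209.251.232.19:25 L=44 S=0x00 I=103 F=0x4000 T=60 SYN (#9)
EOF

# Print "src_ip total_hits distinct_dst_ports" for every source in the log.
# The src:port and dst:port fields are the two words after PROTO=.
port_summary() {
  awk '/Packet log:/ {
         for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
         if (i > NF) next
         split($(i+1), s, ":"); split($(i+2), d, ":")
         hits[s[1]]++
         if (!((s[1], d[2]) in seen)) { seen[s[1], d[2]] = 1; ports[s[1]]++ }
       }
       END { for (ip in hits) print ip, hits[ip], ports[ip] }' "$1"
}

# Distinct destination ports hit by one source (0 if it never appears).
distinct_ports() {
  port_summary "$1" | awk -v ip="$2" '$1 == ip { print $3; f = 1 } END { if (!f) print 0 }'
}

# Sources that hit more than N distinct ports: the "sequence of destination
# ports" pattern the reply treats as more likely a real scan.
suspects() {
  port_summary "$1" | awk -v n="$2" '$3 > n { print $1 }'
}

# Emit (do not run) the unlogged DENY rule from the reply for each suspect.
deny_rules() {
  suspects "$1" "$2" | while read -r ip; do
    echo "ipchains -I input -j DENY -i eth0 -s $ip"
  done
}

port_summary "$SAMPLE_LOG"
deny_rules "$SAMPLE_LOG" 3
```

Run it against the real log with port_summary /var/log/messages (or wherever your syslog writes kernel messages) and review the rules before applying them.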

------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html